Defending against attacks from bogus DHCP servers

If a bogus DHCP server is deployed on the user side, STAs may obtain invalid IP addresses from it instead of from an AC or authorized DHCP server.
To prevent this, disable the DHCP trusted port in the AC's service set view (for V200R005 or an earlier version) or VAP profile view (for V200R006 or a later version). A bogus DHCP server sends three types of DHCP packets: Offer, ACK, and NACK. When an AP receives any of these packets on a user-side interface, it treats the packet sender as a bogus DHCP server. A Fat AP discards the packet. In AC+Fit AP networking, the AP discards the packet and reports the bogus DHCP server information to the AC.
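
The classification rule described above, as an added Python example (not Huawei's implementation and not code from the original page): it reads DHCP option 53 from a packet and drops server-originated message types that arrive on an untrusted, user-side interface. The function names and the sample packets are constructed for illustration.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131: precedes the DHCP options field
# Option 53 values that only a DHCP server sends (the page's Offer, ACK, NACK).
SERVER_TYPES = {2: "Offer", 5: "ACK", 6: "NACK"}

def dhcp_message_type(payload: bytes):
    """Return the option 53 value of a BOOTP/DHCP payload, or None if absent or malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                 # pad option: single byte, no length
            i += 1
            continue
        if code == 255 or i + 1 >= len(payload):   # end option or truncated header
            return None
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:      # option runs past the end of the packet
            return None
        if code == 53 and length == 1:
            return value[0]
        i += 2 + length
    return None

def filter_packet(payload: bytes, trusted_port: bool):
    """Return (action, reason) for a DHCP payload received on an AP interface."""
    mtype = dhcp_message_type(payload)
    if not trusted_port and mtype in SERVER_TYPES:
        return "drop", f"bogus DHCP server: {SERVER_TYPES[mtype]} on user-side interface"
    return "forward", None

def build_dhcp(op: int, mtype: int, extra: bytes = b"") -> bytes:
    """Build a constructed sample payload: 236-byte BOOTP header, cookie, options."""
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x12345678, 0, 0)
    header += bytes(16)                                   # ciaddr, yiaddr, siaddr, giaddr
    header += bytes.fromhex("02aabbccddee") + bytes(10)   # chaddr (constructed MAC)
    header += bytes(64 + 128)                             # sname, file
    return header + MAGIC_COOKIE + extra + bytes([53, 1, mtype, 255])

if __name__ == "__main__":
    for name, pkt, trusted in [
        ("Discover from STA", build_dhcp(1, 1), False),
        ("Offer from user side", build_dhcp(2, 2), False),
        ("ACK from trusted uplink", build_dhcp(2, 5), True),
    ]:
        print(name, "->", filter_packet(pkt, trusted))
```

Client messages (Discover, Request) pass on any interface; only the three server-side types are dropped, and only when the receiving interface is not trusted.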
